Alert 28 January 2021

Post Schrems II Guidance: EU Regulators Raise Bar For Global Data Transfers

On 15 January, 2021, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) adopted a joint opinion (“Joint Opinion”) on the draft new sets of Standard Contractual Clauses (“New SCCs”) for international transfers released by the European Commission in November 2020.

The EDPB and the EDPS welcome the New SCCs but ask for clarity in some key areas, especially following the Court of Justice of the European Union’s (“CJEU”) decision in Schrems II and related Recommendations issued by the EDPB on 11 November, 2020 (“Recommendations”). Whilst neither the New SCCs nor the Recommendations are final, the Joint Opinion largely endorses the approach taken thus far.

Key Takeaways

  • The current SCCs were adopted before the GDPR and have been widely criticized for providing no mechanism for EEA-based processors that intend to transfer personal data from the EEA to a third country, such as the U.S., nor for controllers or processors established outside the EEA. The New SCCs provide a flexible transfer mechanism for processors and controllers in both of these situations.

  • In the wake of the Schrems II decision, the Joint Opinion endorses the EDPB’s Recommendations on the “supplementary measures” needed to legitimize transfers; the transfer assessments the Recommendations call for will have to be carried out when the New SCCs are put in place.

  • Businesses will need to carefully assess and understand the new obligations under the New SCCs and their impact on current and future data exports. Once adopted, the New SCCs will take effect; parties that already rely on the existing SCCs will have a one-year grace period to replace them in existing contracts with the New SCCs.

Background

The CJEU’s decision of 16 July, 2020 in Schrems II held that the current SCCs remain a valid mechanism for international transfers, but required data exporters (together with the recipients of the personal data) to adopt “supplementary measures” where the law of the recipient country does not provide protection for personal data “essentially equivalent” to that guaranteed in the EU (we wrote about the CJEU decision here).

In the EDPB’s Recommendations, which clarified what those supplementary measures are, the EDPB stated that exporters must avoid or cease transfers of EU/UK personal data if, in the absence of supplementary measures, equivalent protections cannot be afforded.

Some of the more challenging aspects of the Recommendations relate to transfer scenarios for which, according to the EDPB, no effective supplementary measures could be found, such as transfers of personal data to processors which require access to the data in the clear (unencrypted). We will be providing more analysis on these areas in a later client alert.

The New SCCs and the Joint Opinion

On 12 November, 2020, the European Commission issued the New SCCs (annexed to a draft Commission Implementing Decision). The Schrems II ruling, which invalidated the Privacy Shield, helped to accelerate this process. With no replacement for the Privacy Shield in place, the New SCCs provide a means of legitimizing international transfers of personal data.

The New SCCs include several modules that companies can use depending on the transfer scenario, specifically: (1) controller-to-controller transfers, (2) controller-to-processor transfers, (3) processor-to-processor transfers, and (4) processor-to-controller transfers. Some important points to note from the Joint Opinion:

  1. Scope of the New SCCs. The New SCCs provide that they only apply when the “data importer” is not directly subject to the GDPR itself — suggesting that SCCs (or other data transfer mechanisms) may not be needed when personal data is transferred to a company outside of the EU that is already subject to the GDPR. However, this approach does not seem to be in line with the GDPR data transfer rules, which are applicable to all controllers and processors who are subject to the GDPR. The Joint Opinion asks the Commission to remove ambiguities and clarify the scope of the New SCCs.

  2. Data Transfer Assessment. The New SCCs require data importers to document their data transfer assessment and make it available to the data exporter. The Joint Opinion requests clarification on several related matters, each of which could increase the burden on companies entering into the New SCCs: whether the assessment must consider all of the factors listed in the EDPB Recommendations; whether it should be confined to objective factors rather than subjective ones, such as the likelihood that public authorities will access the personal data; and whether the parties will need to attach the completed assessment to the New SCCs before signing them.

  3. Multiple entities. The Joint Opinion suggests that where there are multiple entities to the New SCCs, the SCCs should require more detail as to the specific allocation of responsibilities and processing operations between the parties in order to avoid confusion.

Conclusion

EU regulators have the difficult task of addressing the fundamental clash between EU data protection law (which recognizes data protection as a fundamental human right) and U.S. and other foreign national security laws that permit law enforcement and intelligence agencies to compel the disclosure of personal data within the importer’s possession or control, while affording EU individuals insufficient rights of redress. That clash makes it practically impossible in many cases to meet the ‘essentially equivalent’ level of protection standard set out in the CJEU decision.

Yet the authorities’ interpretation of the CJEU’s decision in Schrems II is a highly conservative one, which creates significant and complex hurdles to global data transfers under any transfer tool. The guidance suggests that the usual contractual solutions (such as SCCs or BCRs) will no longer be appropriate or easily implemented, and we expect a significant focus on technical and organizational measures to address these challenges. This may compel non-EU businesses to consider their structures and strategically re-think data flows.

We are hopeful that the final versions of the Recommendations and the New SCCs (expected to be issued by mid-2021) will address some of the issues and questions raised by the documents made available for consultation and will provide practical, clear steps that companies can take to continue transferring data internationally. That said, businesses should not expect the New SCCs to provide a solution to all international data transfers.

Goodwin’s long-standing Privacy & Cybersecurity practice offers a fully integrated, multi-disciplinary approach to clients’ data protection needs. Our global team is uniquely positioned to provide the most innovative solutions to guide clients through the collection, use, processing, and protection of their most sensitive information. Our senior lawyers include four Legal 500 recommended lawyers and a “Next Generation Partner” in Cyber Law and Data Breach Response, several former federal prosecutors, and multiple FTC, GDPR, CCPA, HIPAA, GLBA, and COPPA experts. We deliver practical solutions to complex regulatory challenges and design strategic privacy, information security, and compliance programs for startups, global enterprises, and everything in between. We have handled hundreds of data breaches, including high-profile, global incidents involving everything from ransomware to nation-state attacks and advise on over 700 public and private transactions per year.